The Spring Security UI plugin, among other things, provides a registration page. On this page are 4 fields: username, email, password, and verify-password. It uses a regular architecture of controller and gsps. Staying with a single page registration for the user, I need to add a bunch of fields -- e.g. address, payment info, etc.
Any thoughts / recommendations on how to extend this plugin's page, so that I can get updated versions and incorporate them without too much re-integration. It's almost like one part of the page should go to the UI controller, and the other parts of the page should go to my controller. Note the UI controller usees regular forms (i.e. not ajax).
Thanks
To custom configure the Spring Security UI plugin I'd first of all have a look at the existing plugin code to get a handle on how it works and then run the override scripts that you require as detailed at:
http://burtbeckwith.github.com/grails-spring-security-ui/docs/manual/guide/10%20Customization.html
In your case you'd need:
grails s2ui-override register com.my.packagename
Jim.
Assuming you used the s2-quickstart script to create the domain classes, controllers, and GSPs, you have 2 options for customising the User domain class
add your custom properties (address, payment info, etc.) directly to the User domain class created by the plugin
create your own User domain class that extends the one generated by the plugin. Add your custom properties to the subclass
According to this article, the latter approach is preferable because:
because it allows you to easily update the generated user domain class
if its template ever changes. It also means you don't overly pollute
your domain model with Spring Security specifics. On the downside, you
have to deal with domain class inheritance, although the cost is
pretty minimal.
You'll also need to add the custom fields to the GSPs. The controller actions probably won't require any modifications.
Related
I am using ASP.NET WebAPI with the built in authentication and identity services that come with the Visual Studio template. I now have it that a user can access the system and be authenticated.
The next logical step is to allow the user to create records. Lets say the user can have a "Project". How can I associate the user with a project at the point the project is created? It seems logical that the project table will just store the user_id provided by User.Identity.GetUserId().
Now, say that a project consists of Tasks. By default the WebAPI will create a Tasks controller, where I post a task. I think I would need to inject some additional information (such as the project id) at the point of creating the task.
But, say someone wants to add a task a project that doesn't belong to them. I need to verify this by loading the project, and checking the user_id field. Now I am adding two repositories to my controller. This seems like a lot of work.
Is it my own laziness that makes this seem hard???
I think this might be a related question, as it seems like you are looking for record-level authorization.
MVC / ASP.Net Best Practice for Record-Level Authorization
There is merit also in using multiple repositories. See here for an example of use.
http://www.asp.net/mvc/overview/older-versions/getting-started-with-ef-5-using-mvc-4/implementing-the-repository-and-unit-of-work-patterns-in-an-asp-net-mvc-application
Here, you would wrap the multiple repositories up within the UnitOfWork class.
I hope this points you in the right direction.
I have an existing application that is a front end application which retrieves all of its information from external Web Services. I want to re-create this application using the Grails framework, however the use case is a bit odd. Grails is Model driven. In this case I really have no Database tables. My data is received real time through a web service call. My question to the community is how would you go about implementing the following use case:
Employee Search:
All employee data will come from a web service call. I need to allow the user to enter for example an "EmployeeID" and select a "Customer".
The Grails application then makes a web service query to the appropriate web service and pulls back the results.
HERE IS THE UNKOWN PART: What is the best way to take these results and fit them into the Grails model? In other words, I need to display a Data Grid of the results (Search Results). The grid should work like the Grails list action, allowing the user to sort on particular columns, pagination etc.
I would have to think that this use case is a common? What is the best way to lay a project like this down? Should I use external javaScript libraries like Dojo or JQuery to provide the grid functionality?
Performance is also a concern to an approach
There is no one single way to create Grails applications. Often applications do make use of domain classes that provide easy access to data in relational database tables, but you can easily switch to a NoSQL datastore or even use no direct persistence like in your application.
The simple answer to your question is that you should just create non-persistent data classes in src/groovy and src/java that represent the data you're working with from your web service calls. You can still use Grails for its controllers and GSPs, taglibs, services (non-transactional of course since there won't be database access), and also take advantage of the many available plugins.
You shouldn't have to do much to use the standard generated controllers and GSPs to display data with sorting and pagination. The generation scripts do expect domain classes, but you can cheat a bit to get those generated (and of course you can always code stuff by hand). For example if you have a Person class in src/groovy/com/yourcompany, move it to grails-app/domain:
package com.yourcompany
class Person {
String firstName
String lastName
}
Then run grails generate-all com.yourcompany.Person and it will create the controller and its unit test, and the GSPs. Now move it back to src/groovy and use it as you want. The GSPs don't expect domain classes, they just expect individual class instances or lists of instances.
You'll need to convert controller calls to stuff like person.save() to use your web services instead, but much of the code should be reusable.
One thing you can take advantage of is validation. You can annotate your classes with #Validateable and define constraints to take advantage of Grails validation for non-persistent classes - see the documentation for more details.
I am using spring-security-core and I have got more than ten controllers, I want to check whether user is logged in all the actions, I know one method of doing if(springSecurityService.isLoggedIn()) in all the actions, Is there any other way to do it, Instead of writing the same logic in all the actions/controllers
If you'd like to deny access to the actions entirely, there are a few ways of doing it.
You can put the #grails.plugins.springsecurity.Secured annotation on the controller class, or action method. You can also specify what needs authentication by URL by creating a request map. You can either create a Requestmap domain object, or you can create a static request map in your Config.groovy with the grails.plugins.springsecurity.controllerAnnotations.staticRules map.
There are more details in the Spring Security Core manual.
If it were me I would take ataylors answer one step further. Do as he said, but instead of copying and pasting the same code in all of your controllers just put it in the Controller.groovy template once then run the generate-all command. Templates are very powerful for things like this, and if you keep your templates up to date you can easily change 10 controllers, or 100 controllers as needed if/when your application evolves.
How to install templates:
http://grails.org/doc/latest/ref/Command%20Line/install-templates.html
I'm working on a project in Grails 2.0.RC1 and I'd like to be able to save the scaffolded controllers and views for my domain objects to have as a "low-level", developer only access to still tinker with things while being able to develop the production version of the views and controllers (with similar names, especially for controllers). I'd like to preserve them as-is, so I can re-generate them as I make updates to the domain layer, so just moving them is most likely not going to work.
I'm hoping there's a way to do some UrlMapping magic that would let me have requests for "/mgr/book" go to the scaffolded Book controller, but "/book" would go to my production controller. I can't find anything in the docs about how to have mappings for specific groups of controllers (without specifying each controller by name versus a $controller notation).
My other thought is to turn my domain layer into a plug-in and then create a separate project that would be just for the scaffolded views. This would be easier to remove before going to production, but also seems like more work, and raises the issue of running two grails apps at the same time on the same box.
I would advance you to go like your last idea. This is also my common approach:
Create an embeddable plugin for your domain model and common services. This also includes common plugins, like spring security and stuff. This will also reduce your dependency resolution time for the main-app btw.
Create an embeddable plugin for your scaffolded views. Change the template of the scaffolded controllers to require authentication and admin-group.
Your main-app uses both plugins.
This keeps your main-app clean and simple and you can still regenerate all your scaffolded views & controllers as you wish. And at least Eclipse STS hot-deployment will still work!
However there is no simple solution for seperating your scaffolded controllers URL-wise yet.
If you are using Spring Security, you should be able to use an InterceptUrlMap or RequestMap Instances to secure the controller URLs.
If your scaffold controllers are only used for scaffolding (and don't have other actions), then you should be able to use basic Secured annotations to secure the entire controller.
Then you can use the scaffolding like normal, protected behind a login.
Other security frameworks may provide similar access control.
I would like to restrict access only for ROLE_ADMIN users to all controllers introduced by the Spring Security UI plugin in grails. (I am using grails 1.3.7, plugins.spring-security-core=1.1.3 and plugins.spring-security-ui=0.1.2)
I can run the config script and create a blank controller for each of the various controllers the ui plugin defines, and decorate that blank controller with #Secured(['ROLE_ADMIN']), but that seems like a tedious and unnecessary approach. Is there a better way?
Thanks,
Gene
Since you're using annotations, the easiest way is to use the controllerAnnotations.staticRules config option. This is for static resources and controllers like these where you shouldn't edit them (or jump through hoops to secure them).
See section "5.1 Defining Secured Annotations" in http://grails-plugins.github.com/grails-spring-security-core/docs/manual/